aztfmod / terraform-azurerm-caf

Terraform supermodule for the Terraform platform engineering for Azure
https://aztfmod.github.io/documentation/
MIT License

Feature request - azurerm_firewall_policies base_policy_id not used #1765

Open sjackson0109 opened 1 year ago

sjackson0109 commented 1 year ago

Is there an existing issue for this?

Description

Searched and searched, I am unable to specify a parent_policy_key inside azurerm_firewall_policies; in the aztfmod azurerm_firewall module, I did find base_policy_id, but this nullifies an existing record (imported resource).

This capability is desired urgently.

REGION 1 ORG_POLICY - contains global allow/deny lists - rules to be automated later, from country-specific ipdb entries. REGION 1 HUB POLICY - contains region-specific NAT, NET and APP rules.

Region 1 and 2 policies of course should inherit the ORG policy!

New or Affected Resource(s)

azurerm_firewall_policies

Current Versions:

Terraform v1.5.5 on windows_amd64

Potential Configuration file

azurerm_firewall_policies = {
  # NOTES
  # 3x policies to be created: uks_hub, ukw_hub, which both inherit the org-wide policy.
  # - ORG policy allows us to define GLOBAL Allow/Deny lists, such
  #    as 'block russian isp ranges'. These are managed as CORE network collections!
  # - uks/ukw policies are intended to be managed at the HUB layer with
  #    network/application/nat collections
  org = {
    name               = "org-azfw"
    resource_group_key = "hub"
    region             = "uks"
    sku                = "Standard" # Basic, Standard or Premium (no trailing space)
    ## Required if you want to use Network rules with FQDNs
  }
  uks_hub = {
    name               = "uks-hub-azfw"
    base_policy_id     = "org"        ####### <<<<<<<<<<<<<<<<<< PARENT POLICY NEEDS TO BE ASSIGNED
    resource_group_key = "hub"
    region             = "uks"
    sku                = "Standard" # Basic, Standard or Premium
    ## Required if you want to use Network rules with FQDNs
    dns = {
      proxy_enabled = true
      servers       = ["8.8.8.8", "1.1.1.1"]
    }
  }
}

References

No response

sjackson0109 commented 1 year ago

I tried to change the resource, import it and then re-plan changes...

Clearly aztfmod is not using the attribute, it's displaying null.

Terraform will perform the following actions:

  # module.aztfmod.module.azurerm_firewall_policies["uks_hub"].azurerm_firewall_policy.fwpol will be updated in-place
  ~ resource "azurerm_firewall_policy" "fwpol" {
      - base_policy_id                    = "/subscriptions/REDACTED/resourceGroups/HUB/providers/Microsoft.Network/firewallPolicies/TEST-fwnetrc-uks-org-azfw-policy" -> null
        id                                = "/subscriptions/REDACTED/resourceGroups/HUB/providers/Microsoft.Network/firewallPolicies/TEST-fwnetrc-uks-hub-azfw-policy"
        name                              = "TEST-fwnetrc-uks-hub-azfw-policy"
        tags                              = {}
        # (9 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

TIP: scroll to the right of the base_policy_id line...
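For reference, the parent/child relationship this issue asks the module to wire up, expressed with plain azurerm provider resources rather than the aztfmod module (an added example, not the module's or the reporter's code; the resource group name, location and the sample deny range are assumptions for illustration):

```hcl
# Added example: org-wide parent policy that the regional hub policy inherits from.
# Resource group "hub", location "uksouth" and the deny range are assumed values.
resource "azurerm_firewall_policy" "org" {
  name                = "org-azfw-policy"
  resource_group_name = "hub"      # assumed
  location            = "uksouth"  # assumed
  sku                 = "Standard"
}

# The global deny list lives on the parent policy. Azure evaluates the parent's
# rule collection groups before the child's, so a hub policy cannot override it.
resource "azurerm_firewall_policy_rule_collection_group" "org_deny" {
  name               = "org-global-deny"
  firewall_policy_id = azurerm_firewall_policy.org.id
  priority           = 100

  network_rule_collection {
    name     = "core-deny"
    priority = 100
    action   = "Deny"
    rule {
      name                  = "deny-sample-range"
      protocols             = ["Any"]
      source_addresses      = ["*"]
      destination_addresses = ["198.51.100.0/24"] # constructed sample range (TEST-NET-2)
      destination_ports     = ["*"]
    }
  }
}

# Regional hub policy: base_policy_id is the attribute the plan above shows being
# reset to null; here it is set explicitly so inheritance survives every apply.
resource "azurerm_firewall_policy" "uks_hub" {
  name                = "uks-hub-azfw-policy"
  resource_group_name = "hub"      # assumed
  location            = "uksouth"  # assumed
  sku                 = "Standard"
  base_policy_id      = azurerm_firewall_policy.org.id

  dns {
    proxy_enabled = true
    servers       = ["8.8.8.8", "1.1.1.1"]
  }
}
```

After `terraform apply`, a plan should show `base_policy_id` as unchanged on the child; a `-> null` on that line, as in the plan output above, means the attribute is not being passed through to the resource.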